The Breach Notification Rule
The HIPAA Breach Notification Rule was a large expansion to HIPAA that requires covered entities to notify affected individuals; HHS; and, in some cases, the media of a breach of unsecured PHI.
The Breach Notification Rule was added to HIPAA in 2009 to say that in the event of a breach of PHI, covered entities and their business associates are required to notify all affected individuals. This came after many years where HIPAA was in place but was not being carefully followed by covered entities and their associates. The Breach Notification Rule adds to one of the original goals of HIPAA which was to give individual’s rights to their own healthcare information. Under this aim of the law, it is important that people be specifically notified when their information has been compromised through a breach.
What constitutes a breach?
A breach, as defined by the Breach Notification Rule, is any unauthorized use or sharing of protected health information (PHI) that jeopardizes the security and privacy of that person’s information. A HIPAA breach can be due to unauthorized access by an employee, a third party, a ransomware attack or improper disclosures.
Notifications are only required by HIPAA for breaches of PHI that is not secured. This is one of the key reasons that covered entities and their associates need to be using the proper encryption and destruction techniques on all devices and software. When these precautions have been taken, the PHI should be unreadable or unusable by any unauthorized person that attempts to access it unless they have also obtained the key to the information.
What are the HIPAA Breach Notification Requirements?
As mentioned above, when a breach occurs within a covered entity or their business associates, they are required to notify all the people who are reasonably believed to have been affected, as quickly as possible after they discover the breach.
The organization is required to issue the notifications “without reasonable delay” following the discovery of the breach. Although it should happen as soon as possible, HIPAA fines can be issued if the notifications are not sent without 60 days of discovery.
The Breach Notification Rule mandates that the notifications of a breach of unsecured PHI must be sent to each individual in written form, by first-class mail. If an individual has elected to receive notices via email, then the notice can be sent that way instead of through the mail. The letter is to tell what happened, what information was taken, how the entity is responding and how they will prevent breaches in the future. The victims of the breach should also be provided with a phone number and address where they can direct their concerns.
The Covered Entities are also required to notify Health and Human Services (HHS) of the breach. If the breach affected less than 500 people, this must be done within a few months of the end of the year in which the breach took place. However, if the breach affected more than 500 individuals, then HHS must be notified in that 60 day period. Additionally, for the over 500 person breaches, the organization must notify a major local print or broadcast media outlet of the breach.
If while issuing breach notifications, it is discovered that an organization does not have up-to-date contact information for 10 or more of the affected parties, then a substitute notice must be posted. A substitute notice should contain all of the information that was sent in the original notice and should be posted on the company website. This notice must be displayed or linked in a prominent way on the homepage, for at least 90 consecutive days. The substitute notice should also contain the toll free number or address that was sent in the written notices so that website viewers can verify if their information was stolen. If there are less than 10 people who fall into this substitute category, then they can be notified via alternate address written notice or a telephone call.
Penalties for Breach Notification Violations
Covered entities that violate the Breach Notification Rule are subject to fines by their state Attorney General or the HHS Office for Civil Rights. All 50 states have enacted their own state legislation regarding the notification of individuals after a security breach. In order to find out the specific laws within your state, click here.
Healthcare organizations have a duty to keep their patient’s identifiable health information secure and protected from unauthorized access or hacking. The Breach Notification Rule was passed to set the standards for covered entities notifying affected individuals of breaches of their protected health information. Organizations should prepare procedures to follow ahead of time so that in the event of a breach, they are able to issue notifications to the affected people as quickly as possible. Covered Entities and business associates that neglect the policies laid out by the Breach Notification Rule can be subject to fines, lawsuits and a significantly damaged reputation.